Hardening OS X - A more secure OS X before Leopard.
blog.cocoia.com — I've made a how-to from tips by Jay Beale at the last DEFCON security conference and some of my own security tweaks to improve the overall security of your OS X. Make sure some default settings that can allow for vulnerabilities are set properly, and tune your firewall rules. A more advanced follow-up is coming soon.
- 971 diggs
- GregR, on 10/12/2007, -3/+14: Some good tips here, but:
  - if you have your account set up the way you want, then create a new user as advised here but make that the admin one (just don't call it admin or similar), put a good password on it and then make your user a 'normal' user.
  - if you have a hardware firewall, you don't need to turn on the software one.
- caliform, on 10/12/2007, -0/+7: Not entirely true, well, true, but in some cases not. Some people may use the DMZ feature on their router, to allow traffic on all ports (i.e. when using P2P), or simply port-forward broad ranges of ports. Some of the suggestions help protect against exploits in things like CUPS. Otherwise, absolutely true. And thanks a lot for the extra input, I will add it! (with credit, natch ;))
- trghpy, on 10/12/2007, -0/+16: "- if you have a hardware firewall, you don't need to turn on the software one"
  Should be ignored by anyone using wireless, or behind an improperly configured router, or those who allow others to be on their network.
- trghpy, on 10/12/2007, -2/+5: Oh, just to remind people...
  Change your default password on your firewall or a JavaScript hack will change it for you.
- fanboydcs, on 10/12/2007, -1/+16: root and admin on a Mac are not the same thing:
  root = root
  admin = normal user with sudo access...
  non-admin is a user with no sudo access...
- robdazomba, on 10/12/2007, -2/+34: > non admin is a user with no sudo access...
  I'm a Windows user but I'm considering a jump to OS X (maybe with the next rev of Apple machines). One of the really nice touches I've seen in tinkering with OS X is that, even with a non-admin account, the OS prompts you for an admin account login and password if you want to do something outside the bounds of a regular account. That's such a simple idea but pure genius.
- SamsLembas, on 10/12/2007, -16/+6: This stuff is ridiculous. The OS is hardly even usable after doing all this stuff.
- pinkgreenblue, on 10/12/2007, -1/+3: Why wouldn't the account be named "admin"? I'm not being rude, this is a legitimate question.
- konstantinos88, on 10/12/2007, -0/+2: @gregr
  You got edited into the article!!
- caliform, on 10/12/2007, -0/+1: The follow-up is now available.
- trifixion, on 10/12/2007, -5/+3: Nice writeup.
- trghpy, on 10/12/2007, -1/+8: Good write-up.
  Now I feel vulnerable every time I use my Bluetooth phone to get online.
- ElectricSoup, on 10/12/2007, -1/+6: "... tune your firewall rules."
  It is possible to change the ipfw firewall rules to suit one's particular purposes, but one needs to be aware that if one does, the firewall can no longer be controlled from the GUI. That's fine for those who are happy at the CLI. Others might want to think twice.
  The obvious sources of information for configuring Mac OS X:
  http://images.apple.com/server/pdfs/Tiger_Server_Security_Config_021507.pdf
  http://images.apple.com/server/pdfs/Tiger_Security_Config_021507.pdf
- caliform, on 10/12/2007, -0/+2: Eya ElectricSoup, I made sure to state carefully that these tips can break things like Internet Sharing, Bonjour services, etc. But I think people are smart enough to simply disable the firewall when they feel like it is safe enough to do so. Good point made.
- ilgaz, on 10/12/2007, -0/+1: There were some GUI configurators for ipfw configuration. Simple ones are freeware/donationware and more advanced ones are payware.
  I mean, if you don't want to buy a GUI firewall like Netbarrier, you can use the built-in ipfw easily.
- MoeB, on 10/12/2007, -36/+7: Why bother with all the configuration when you can use a more secure operating system like Vista right out of the box.
- dragonflight, on 10/12/2007, -5/+27: I sincerely hope that was supposed to be dripping with sarcasm.
- robdazomba, on 10/12/2007, -12/+1: Grow up, *****.
- cmv0, on 10/12/2007, -2/+3: Saying Vista (or any Windows) is more stable, secure, or better than Mac is like saying a chihuahua can take on a pitbull.
- VhaidraU, on 10/12/2007, -1/+2: I had done this on my last Mac, but forgot about this on my latest Mac, so I thank you for the reminder.
- gafasiesornivek, on 10/12/2007, -10/+3: Why do we need to harden the most secure OS on the face of the planet? I mean, Macs don't get viruses or trojans, right? Right?
- furyg3, on 10/12/2007, -1/+9: Here's a guide that the NSA put together for hardening OS X (Panther). It's a bit old, but most of the points apply to 10.4.
  http://www.nsa.gov/snac/downloads_macX.cfm
- caliform, on 10/12/2007, -0/+3: What I thought is incredibly cool is that in that document, they go on about cameras and microphones, and ensuring they are disabled. Pure genius. I will touch more on that document in my follow-up.
- ilgaz, on 10/12/2007, -1/+1: @Caliform there are many Windows trojans in the wild which CAN enable camera/microphone remotely via software. About OS X? Well, you can't know that. If a person got root access to your machine, he can of course enable it via software (e.g. commands) too.
- miker71, on 10/12/2007, -15/+5: I thought Mac users were smug with their attitude of invulnerable OS? And too stupid to write any articles on security? That's what all my Windows-using friends tell me as they pony up more money for antivirus and vulnerability fingerprint subscriptions rather than harden their systems and take time to understand attack vectors and overall risk.
- ilgaz, on 10/12/2007, -3/+5: Normal, non-fanboy Mac users are interested in securing their computer; you can easily see that from the download numbers of security software at versiontracker.com.
  The issue with non-fanboys is: Symantec or some other company shows a NON-propagating, not-in-the-wild virus (!) and adds PR crap at the bottom of the article, and hopeless Unix nerds and Windows fanboys use it as a reference to claim Macs are insecure and users are stupid. That is what would make any sane person mad too. Doesn't need to be fanatic.
- ilgaz, on 10/12/2007, -0/+2: (of course I forgot I was replying to a comment on digg.com)
- dbr_onix, on 10/12/2007, -1/+2: As it stands, yes, OS X is "secure": it ships with no listening services running unless you specifically enable them, it doesn't run as the root user, and Apple are generally pretty good at releasing patches, with an update notifier far more noticeable than Windows' (I've seen many computers where people just ignore the little yellow shield, or it's hidden by the "Hide inactive sys-tray icons" setting).
  But one of the most common ways of infecting computers is currently (well, "still") the "thisisnotatrojan.jpg.exe" method (tricking people into running evil executables), which is more than possible on OS X, and given that most OS X machines don't have a virus scanner (unlike most WinXP machines sold in the last few years), such attacks are only really not a problem because of the relatively small number of Macs that are around currently.
  Anyway, this guide is not bad. I don't really see how blocking UDP traffic will help security, and Tor really isn't any good for "securing" a machine: if you log in to anything which you've signed up for without using Tor, or post any personal information, its anonymizing value is lost. Using it on a laptop at an open-access point/public network makes more sense, but something like Hamachi or SSH tunneling would be a lot faster.
- newbill123, on 10/12/2007, -0/+8: I think the author overlooked the well-worn advice to turn off the "Open 'safe' files after downloading" option in Safari's preferences. Most of the potential harm I hear about on the Mac is people exploiting this option by disguising something as a safe file.
- ilgaz, on 10/12/2007, -2/+1: Stealth mode is really, really needless, especially on OS X. More info at:
  http://homepage.ntlworld.com/robin.d.h.walker/cmtips/security.html#stealth
  It is a Windows paranoid mode which has nothing to do with OS X. In fact, an up-to-date and normally firewalled (non-stealth) Windows with antivirus doesn't need "Stealth" either.
  The idea is, you shouldn't have any ports which serve something (not the NTP client) OPEN (not invisible) to the outside world. Blocking UDP traffic will create a nightmare on live audio/video streaming and online games too.
  FYI, Intego sells a $70 firewall "Netbarrier X4" and they don't enable stealth by default, warning it may create problems with ISP/network.
- joe90210, on 10/12/2007, -12/+4: This is a badly needed guide considering OSX's abismal security record compared to XP and other OSes; it's been consistently worse for the last few years and in 2006 alone it had more than double the number of vulnerabilities compared to XP.
  http://www.microsoft-watch.com/security%20snapshot.jpg
- DaffyDuck, on 10/12/2007, -0/+4: I guess there are different ways to look at it. A vulnerability is only a problem if it gets exploited.
- Angostura, on 10/12/2007, -0/+5: Interesting stats. One thing that is missing from the stats, however (you can do the query here: http://nvd.nist.gov/statistics.cfm), is the length of time to patch. So for example, I believe that there are several zero-day exploits still unpatched in XP, but none in OS X. I could be wrong of course.
  I'll digg you up because you bring interesting information to light.
- MonkeyFarts, on 10/12/2007, -0/+8: I believe the word you're looking for is abysmal. But how can you possibly believe that _any_ OS has a horrible security track record compared to Windows? I mean, you are joking, right? As Angostura above me said, that chart (where does it even come from? who made it?) does not say much of anything because of the fact that many vulnerabilities go unpatched for Windows; probably a lot more than what goes unpatched for OS X. I'm not saying that OS X is perfect by any means. It's just that statistics don't prove anything if there is no evidence backing them up.
- Angostura, on 10/12/2007, -0/+1: MonkeyFarts.
  The stats are legit and are graphed from the same place as I gave (the source is written on the graph): it's Homeland Security/CERT's National Vulnerability Database. I was surprised by the stats. Just because the guy has a spelling problem and has flamesque tendencies doesn't mean that the stats aren't right.
- TonyCubed, on 10/12/2007, -3/+7: Want a safe operating system? Unplug the internet. :P
- cmv0, on 10/12/2007, -3/+1: I think I might try that, then I will have the most secure computer in the neighborhood. [/sarcasm]
- aristotle0dude, on 10/12/2007, -4/+1: Forget what I said, these are stupid. They get in the way of productivity.
- Jammerdelray, on 10/12/2007, -8/+2: lol to all those saying Apple was invulnerable, pwnd.
- KyjL, on 10/12/2007, -5/+4: OH MY GOD MY EYES ARE BURNING FROM THE WHITE-ON-BLACK LAYOUT
- gresmi, on 10/12/2007, -0/+1: A quick glance over the comments shows that this hasn't come up, but security firm Corsair (not the memory makers) has a great white paper on securing Tiger:
  http://research.corsaire.com/whitepapers/060517-securing-mac-os-x-tiger.pdf
  There is another one on Panther here:
  http://research.corsaire.com/whitepapers/040622-securing-mac-os-x.pdf
- frozendice, on 10/12/2007, -0/+1: What the HECK?! This is "hardening" OS X? This is pitiful! He didn't even mention the OBVIOUS FIRMWARE PASSWORD CHANGE. I'll see if I can find my OS X hardening list I made on my last reinstall.
- caliform, on 10/12/2007, -0/+2: Errr? Sorry, but firmware passwords are more suited for securing your computer the hardware way. If you are concerned that someone may fiddle with your firmware and its settings, you might need a whole different security guide. I'm trying to harden, aka break future exploits, on your Mac, the great majority being remote internet exploits.
- Advocate, on 10/12/2007, -0/+1: Even the OF PW can be broken by the RAM trick... unless you also padlock your case :)
  ...and a bolt cutter would fix that! arg!
- frozendice, on 10/12/2007, -1/+2:
  Get Little Snitch.
  Set an Open Firmware password and change the security setting to where you can't boot CDs.
  For the terminal users, enable "Secure Keyboard Entry" via the File menu.
  !!!! Turn on 'Secure Virtual Memory' in the Security pane of System Preferences, enable FileVault or create a dmg to keep important stuff in.
  Turn off Automatic Login and under "login options" select name and password.
  Enable firewall logging, block UDP traffic, and enable stealth mode via "Advanced" options after you enable the firewall.
  Gmail settings: incoming: pop.gmail.com, outgoing: smtp.gmail.com. USE SSL!
  SECURITY SETTINGS: MUST BE DONE FIRST BEFORE CONNECTING TO INTERNET
  Turn on the firewall (not on by default), and disable any services running.
  Set software update to daily!
  Require admin pass to create computer-to-computer networks.
  Change the master keychain pass from login.
  Of course, don't run as an admin all the time.
- mmmgood, on 10/12/2007, -3/+2: Pitiful article. No digg.
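Two points in this thread concern what the ipfw firewall records once ElectricSoup's rule tuning and frozendice's "enable firewall logging, block UDP traffic" step are in place. The following is an added example, not code from the linked article or any commenter: it parses constructed ipfw syslog lines (hypothetical hosts and addresses, in the format Tiger writes when firewall logging is on) and summarises what was denied, so a rule change such as a blanket inbound UDP block can be checked against what it actually dropped.

```python
import re
from collections import Counter, defaultdict

# Constructed sample of the syslog lines ipfw writes when firewall logging is
# enabled (hypothetical hosts/addresses; the last UDP line is a DNS reply that
# a blanket "block UDP" rule would drop, which is the breakage ilgaz warns about).
SAMPLE_LOG = """\
Oct 12 13:45:01 macbook ipfw: 12190 Deny TCP 10.0.0.9:51234 10.0.0.5:22 in via en0
Oct 12 13:45:02 macbook ipfw: 12190 Deny TCP 10.0.0.9:51235 10.0.0.5:23 in via en0
Oct 12 13:45:02 macbook ipfw: 12190 Deny TCP 10.0.0.9:51236 10.0.0.5:80 in via en0
Oct 12 13:45:03 macbook ipfw: 12190 Deny TCP 10.0.0.9:51237 10.0.0.5:445 in via en0
Oct 12 13:45:10 macbook ipfw: 12190 Deny UDP 10.0.0.7:1900 10.0.0.5:1900 in via en0
Oct 12 13:45:12 macbook ipfw: 12191 Allow TCP 10.0.0.5:49200 10.0.0.1:443 out via en0
Oct 12 13:45:13 macbook ipfw: 12190 Deny UDP 10.0.0.1:53 10.0.0.5:49152 in via en0
"""

LINE_RE = re.compile(
    r"ipfw: (?P<rule>\d+) (?P<action>Deny|Allow) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) (?P<dst>[\d.]+):(?P<dport>\d+) "
    r"(?P<dir>in|out) via (?P<iface>\w+)")

def parse(log_text):
    """One dict per parseable ipfw line (ICMP entries carry no ports and are skipped)."""
    return [m.groupdict() for m in map(LINE_RE.search, log_text.splitlines()) if m]

def denied_inbound(events):
    """Count denied inbound packets per (source, protocol, destination port)."""
    counts = Counter()
    for e in events:
        if e["action"] == "Deny" and e["dir"] == "in":
            counts[(e["src"], e["proto"], int(e["dport"]))] += 1
    return counts

def probing_sources(events, min_ports=3):
    """Sources denied on at least min_ports distinct TCP ports: a scan-like pattern."""
    ports = defaultdict(set)
    for src, proto, dport in denied_inbound(events):
        if proto == "TCP":
            ports[src].add(dport)
    return {src: sorted(p) for src, p in ports.items() if len(p) >= min_ports}

def dropped_replies(events, client_port_min=49152):
    """Denied inbound UDP to an ephemeral local port: likely a reply to our own query."""
    return [e for e in events if e["action"] == "Deny" and e["dir"] == "in"
            and e["proto"] == "UDP" and int(e["dport"]) >= client_port_min]

if __name__ == "__main__":
    evs = parse(SAMPLE_LOG)
    print(denied_inbound(evs), probing_sources(evs), len(dropped_replies(evs)))
```

Run it against `/var/log/ipfw.log` (or wherever syslog sends the ipfw facility on your system) instead of the constructed sample to see which denies are probes worth knowing about and which are your own replies being blocked.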
- aristotle0dude, on 10/12/2007, -0/+2: All you need is to regularly run the software updates and a hardware firewall. You can even set it to download updates in the background.
  Disabling the ability for any random Bluetooth device to pair with your Mac is a good idea too. I turn BT off when I'm not using it.
- dvgraphics, on 10/12/2007, -1/+2: FileVault is the most dangerous thing built into OS X. I've seen more data become corrupted and locked in its own FileVault hell because some minor thing happened.
- MeatFlaps, on 10/12/2007, -0/+1: My god do I hate the white text on a black background. It makes my eyes go crazy. Nice article though.
- krayzee911, on 10/12/2007, -0/+1: Good tips, but I can't read any further than the first page. The whole "I'm a douchebag and you're just a stupid pitiful user" tone in the writing turned me off from reading further.
- nandabanaotakun, on 10/12/2007, -0/+2: Funny; this article made my computer less secure by telling me that my secure virtual memory setting is slowing performance.